[selinux-policy/f17] - Fix dup decl for munin plugins - Allow logwatch to domtrans to mdadm - Backport blueman policy fro

Miroslav Grepl mgrepl at fedoraproject.org
Mon Feb 4 21:26:10 UTC 2013


commit 35e8a01042189e5d003cb7de0059179e9672b370
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Feb 4 22:24:56 2013 +0100

    - Fix dup decl for munin plugins
    - Allow logwatch to domtrans to mdadm
    - Backport blueman policy from F18
    - Allow mozilla-plugin-config to read power_supply info
    - Allow fsdaemon to read virt images
    - Allow useradd to create homedirs in /run.  ircd-ratbox does this and we should just allow it
    - Allow sa-update to search admin home for /root/.spamassassin
    - Dontaudit attempts from thumb_t to connect to sssd
    - Add labeling and filename transition for .grl-podcasts
    - Allow mozilla_plugin_t to read files on hugetlbfs
    - Allow gnomesystemmm_t caps because of ioprio_set
    - Allow logrotate to domtrans to mdadm_t
    - Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data.
    - Allow gpg_t to manage all gnome files
    - Add filename transition for .quakelive
    - Add unconfined_munin_plugin_t
    - Allow httpd_t to read munin conf files
    - Add additional labeling for munin cgi scripts
    - Add labeling for texlive bash scripts
    - Allow NM to transition to l2tpd
    - Add interface for postgresql_filetrans_named_content to make sure log directories get created with the correct label.

 policy-F16.patch    |  458 +++++++++++++++++++++++++++++++++++----------------
 selinux-policy.spec |   27 +++-
 2 files changed, 337 insertions(+), 148 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index d46167e..6c559a0 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -64435,7 +64435,7 @@ index 4f7bd3c..9143343 100644
 -	unconfined_domain(kudzu_t)
  ')
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..159414a 100644
+index 7090dae..b8d3cdc 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
 @@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t)
@@ -64567,7 +64567,7 @@ index 7090dae..159414a 100644
  	icecast_signal(logrotate_t)
  ')
  
-@@ -194,15 +216,19 @@ optional_policy(`
+@@ -194,15 +216,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64578,17 +64578,20 @@ index 7090dae..159414a 100644
  ')
  
  optional_policy(`
--	psad_domtrans(logrotate_t)
 +	polipo_named_filetrans_log_files(logrotate_t)
++')
++
++optional_policy(`
+ 	psad_domtrans(logrotate_t)
  ')
  
 +optional_policy(`
-+	psad_domtrans(logrotate_t)
++	raid_domtrans_mdadm(logrotate_t)
 +')
  
  optional_policy(`
  	samba_exec_log(logrotate_t)
-@@ -217,6 +243,11 @@ optional_policy(`
+@@ -217,6 +247,11 @@ optional_policy(`
  ')
  
  optional_policy(`
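Review bot: The new `raid_domtrans_mdadm(logrotate_t)` block is added without a comment saying why logrotate needs to enter mdadm_t, and the commit message only restates the rule. A transition is the contained choice over running mdadm inside logrotate_t, but the next maintainer cannot tell which rotation hook triggers it. Suggest a leading comment inside the block such as `# mdadm is run from a logrotate script; execute it in mdadm_t`, adjusted to the actual trigger. The same applies to the `raid_domtrans_mdadm(logwatch_t)` block added in the logwatch.te hunk of this patch.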
@@ -64600,7 +64603,7 @@ index 7090dae..159414a 100644
  	squid_domtrans(logrotate_t)
  ')
  
-@@ -228,3 +259,14 @@ optional_policy(`
+@@ -228,3 +263,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -64632,7 +64635,7 @@ index 3c7b1e8..1e155f5 100644
 +
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
-index 75ce30f..5c04f2d 100644
+index 75ce30f..d86a8d6 100644
 --- a/policy/modules/admin/logwatch.te
 +++ b/policy/modules/admin/logwatch.te
 @@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
@@ -64714,7 +64717,14 @@ index 75ce30f..5c04f2d 100644
  	files_getattr_all_file_type_fs(logwatch_t)
  ')
  
-@@ -145,3 +164,24 @@ optional_policy(`
+@@ -142,6 +161,31 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++        raid_domtrans_mdadm(logwatch_t)
++')
++
++optional_policy(`
  	samba_read_log(logwatch_t)
  	samba_read_share_files(logwatch_t)
  ')
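Review bot: The added `raid_domtrans_mdadm(logwatch_t)` line is indented with eight spaces while the neighbouring rules in the same file (`samba_read_log(logwatch_t)`) use a tab, so one optional_policy block now mixes indentation styles. Replace the spaces with a single leading tab to match the file. The `munin_read_config(httpd_t)` line added in the apache.te hunk later in this patch has the same space indent and should get the same fix.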
@@ -66455,7 +66465,7 @@ index 47a8f7d..073691f 100644
  
  	optional_policy(`
 diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
-index c8ef84b..c761721 100644
+index c8ef84b..395e8a0 100644
 --- a/policy/modules/admin/sectoolm.te
 +++ b/policy/modules/admin/sectoolm.te
 @@ -8,6 +8,7 @@ policy_module(sectoolm, 1.0.0)
@@ -66466,15 +66476,6 @@ index c8ef84b..c761721 100644
  
  type sectool_var_lib_t;
  files_type(sectool_var_lib_t)
-@@ -23,7 +24,7 @@ files_tmp_file(sectool_tmp_t)
- # sectool local policy
- #
- 
--allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
-+allow sectoolm_t self:capability { dac_override net_admin sys_nice };
- allow sectoolm_t self:process { getcap getsched	signull setsched };
- dontaudit sectoolm_t self:process { execstack execmem };
- allow sectoolm_t self:fifo_file rw_fifo_file_perms;
 @@ -70,12 +71,6 @@ application_exec_all(sectoolm_t)
  
  auth_use_nsswitch(sectoolm_t)
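Review bot: Dropping the earlier sub-hunk means the F16 patch now keeps `sys_ptrace` in sectoolm_t's self:capability set, which the changelog justifies with reading other processes' /proc data, but nothing in the policy itself records that reason. CAP_SYS_PTRACE also allows attaching to and altering other processes, so the rule deserves an inline justification, e.g. `# sys_ptrace: kernel checks it when reading other processes' /proc state; not used for attaching`. If the kernel's access check on those /proc files is what demanded the capability then the grant is unavoidable, but the comment is what lets a later reviewer re-evaluate it; worth confirming against the original denial.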
@@ -67703,10 +67704,20 @@ index 81fb26f..66cf96c 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..388e1c5 100644
+index 441cf22..fd9c7ba 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
-@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
+@@ -49,6 +49,9 @@ type useradd_exec_t;
+ domain_obj_id_change_exemption(useradd_t)
+ init_system_domain(useradd_t, useradd_exec_t)
+ 
++type useradd_var_run_t;
++files_pid_file(useradd_var_run_t)
++
+ ########################################
+ #
+ # Chfn local policy
+@@ -71,6 +74,7 @@ allow chfn_t self:unix_stream_socket connectto;
  
  kernel_read_system_state(chfn_t)
  kernel_read_kernel_sysctls(chfn_t)
@@ -67714,7 +67725,7 @@ index 441cf22..388e1c5 100644
  
  selinux_get_fs_mount(chfn_t)
  selinux_validate_context(chfn_t)
-@@ -79,25 +80,26 @@ selinux_compute_create_context(chfn_t)
+@@ -79,25 +83,26 @@ selinux_compute_create_context(chfn_t)
  selinux_compute_relabel_context(chfn_t)
  selinux_compute_user_contexts(chfn_t)
  
@@ -67747,7 +67758,7 @@ index 441cf22..388e1c5 100644
  files_read_etc_runtime_files(chfn_t)
  files_dontaudit_search_var(chfn_t)
  files_dontaudit_search_home(chfn_t)
-@@ -105,6 +107,7 @@ files_dontaudit_search_home(chfn_t)
+@@ -105,6 +110,7 @@ files_dontaudit_search_home(chfn_t)
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(chfn_t)
@@ -67755,7 +67766,7 @@ index 441cf22..388e1c5 100644
  
  miscfiles_read_localization(chfn_t)
  
-@@ -113,11 +116,23 @@ logging_send_syslog_msg(chfn_t)
+@@ -113,11 +119,23 @@ logging_send_syslog_msg(chfn_t)
  # uses unix_chkpwd for checking passwords
  seutil_dontaudit_search_config(chfn_t)
  
@@ -67779,7 +67790,7 @@ index 441cf22..388e1c5 100644
  ########################################
  #
  # Crack local policy
-@@ -193,9 +208,10 @@ selinux_compute_access_vector(groupadd_t)
+@@ -193,9 +211,10 @@ selinux_compute_access_vector(groupadd_t)
  selinux_compute_create_context(groupadd_t)
  selinux_compute_relabel_context(groupadd_t)
  selinux_compute_user_contexts(groupadd_t)
@@ -67792,7 +67803,7 @@ index 441cf22..388e1c5 100644
  
  init_use_fds(groupadd_t)
  init_read_utmp(groupadd_t)
-@@ -203,8 +219,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -203,8 +222,8 @@ init_dontaudit_write_utmp(groupadd_t)
  
  domain_use_interactive_fds(groupadd_t)
  
@@ -67802,7 +67813,7 @@ index 441cf22..388e1c5 100644
  files_read_etc_runtime_files(groupadd_t)
  files_read_usr_symlinks(groupadd_t)
  
-@@ -219,9 +235,10 @@ miscfiles_read_localization(groupadd_t)
+@@ -219,9 +238,10 @@ miscfiles_read_localization(groupadd_t)
  auth_domtrans_chk_passwd(groupadd_t)
  auth_rw_lastlog(groupadd_t)
  auth_use_nsswitch(groupadd_t)
@@ -67814,7 +67825,7 @@ index 441cf22..388e1c5 100644
  auth_relabel_shadow(groupadd_t)
  auth_etc_filetrans_shadow(groupadd_t)
  
-@@ -269,6 +286,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -269,6 +289,7 @@ allow passwd_t self:shm create_shm_perms;
  allow passwd_t self:sem create_sem_perms;
  allow passwd_t self:msgq create_msgq_perms;
  allow passwd_t self:msg { send receive };
@@ -67822,7 +67833,7 @@ index 441cf22..388e1c5 100644
  
  allow passwd_t crack_db_t:dir list_dir_perms;
  read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -277,6 +295,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -277,6 +298,7 @@ kernel_read_kernel_sysctls(passwd_t)
  
  # for SSP
  dev_read_urand(passwd_t)
@@ -67830,7 +67841,7 @@ index 441cf22..388e1c5 100644
  
  fs_getattr_xattr_fs(passwd_t)
  fs_search_auto_mountpoints(passwd_t)
-@@ -291,26 +310,30 @@ selinux_compute_create_context(passwd_t)
+@@ -291,26 +313,30 @@ selinux_compute_create_context(passwd_t)
  selinux_compute_relabel_context(passwd_t)
  selinux_compute_user_contexts(passwd_t)
  
@@ -67866,7 +67877,7 @@ index 441cf22..388e1c5 100644
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(passwd_t)
-@@ -323,7 +346,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +349,7 @@ miscfiles_read_localization(passwd_t)
  
  seutil_dontaudit_search_config(passwd_t)
  
@@ -67875,7 +67886,7 @@ index 441cf22..388e1c5 100644
  userdom_use_unpriv_users_fds(passwd_t)
  # make sure that getcon succeeds
  userdom_getattr_all_users(passwd_t)
-@@ -332,6 +355,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +358,7 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -67883,7 +67894,7 @@ index 441cf22..388e1c5 100644
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -381,9 +405,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,9 +408,10 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
@@ -67896,7 +67907,7 @@ index 441cf22..388e1c5 100644
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
  auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -396,7 +421,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -396,7 +424,6 @@ files_read_usr_files(sysadm_passwd_t)
  
  domain_use_interactive_fds(sysadm_passwd_t)
  
@@ -67904,7 +67915,7 @@ index 441cf22..388e1c5 100644
  files_relabel_etc_files(sysadm_passwd_t)
  files_read_etc_runtime_files(sysadm_passwd_t)
  # for nscd lookups
-@@ -426,7 +450,8 @@ optional_policy(`
+@@ -426,7 +453,8 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -67914,7 +67925,18 @@ index 441cf22..388e1c5 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -448,29 +473,31 @@ corecmd_exec_shell(useradd_t)
+@@ -441,6 +469,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+ allow useradd_t self:unix_dgram_socket sendto;
+ allow useradd_t self:unix_stream_socket connectto;
+ 
++manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
++manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
++files_pid_filetrans(useradd_t, useradd_var_run_t, dir)
++
+ # for getting the number of groups
+ kernel_read_kernel_sysctls(useradd_t)
+ 
+@@ -448,29 +480,31 @@ corecmd_exec_shell(useradd_t)
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(useradd_t)
  
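Review bot: `files_pid_filetrans(useradd_t, useradd_var_run_t, dir)` carries no filename argument, so every directory useradd_t creates under /run is labeled useradd_var_run_t, not only the home directory the changelog mentions for ircd-ratbox. If the intent is that one per-service home directory, a named transition (the optional fourth argument of files_pid_filetrans, as used elsewhere in this patch with `gnome_cache_filetrans(..., dir, "thumbnails")`) would confine the new label to that name. No file-context entry for useradd_var_run_t is visible in this part of the patch, so unless one exists elsewhere a restorecon of /run would relabel such directories back to var_run_t; worth confirming. A short comment above the three rules, e.g. `# ircd-ratbox keeps its home directory under /run; label what useradd creates there`, would record why a pid-file type is being used for a home directory.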
@@ -67956,7 +67978,7 @@ index 441cf22..388e1c5 100644
  
  auth_domtrans_chk_passwd(useradd_t)
  auth_rw_lastlog(useradd_t)
-@@ -478,6 +505,7 @@ auth_rw_faillog(useradd_t)
+@@ -478,6 +512,7 @@ auth_rw_faillog(useradd_t)
  auth_use_nsswitch(useradd_t)
  # these may be unnecessary due to the above
  # domtrans_chk_passwd() call.
@@ -67964,7 +67986,7 @@ index 441cf22..388e1c5 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -490,29 +518,31 @@ logging_send_syslog_msg(useradd_t)
+@@ -490,29 +525,31 @@ logging_send_syslog_msg(useradd_t)
  
  miscfiles_read_localization(useradd_t)
  
@@ -70508,7 +70530,7 @@ index f5afe78..dbf40ce 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..c06597b 100644
+index 2505654..ab3d95f 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -6,11 +6,31 @@ policy_module(gnome, 2.1.0)
@@ -70632,7 +70654,7 @@ index 2505654..c06597b 100644
 +# gnome-system-monitor-mechanisms local policy
 +#
 +
-+allow gnomesystemmm_t self:capability sys_nice;
++allow gnomesystemmm_t self:capability { sys_nice sys_admin };
 +allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
 +
 +rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)
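Review bot: `allow gnomesystemmm_t self:capability { sys_nice sys_admin };` adds CAP_SYS_ADMIN, which is far broader than the ioprio_set call the changelog cites, and the rule has no comment explaining it. Because sys_admin covers a large share of privileged kernel operations, the reason should live next to the rule: `# sys_admin: the kernel requires CAP_SYS_ADMIN for the ioprio_set() call gnome-system-monitor makes`. If that is indeed the capability the kernel checks for the call in question the grant is unavoidable, but the comment lets a later reviewer confirm it rather than inherit it.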
@@ -70873,7 +70895,7 @@ index 40e0a2a..2f0feca 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..df2f70c 100644
+index 9050e8c..3c7ec94 100644
 --- a/policy/modules/apps/gpg.te
 +++ b/policy/modules/apps/gpg.te
 @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -70972,7 +70994,7 @@ index 9050e8c..df2f70c 100644
 -	fs_manage_cifs_dirs(gpg_t)
 -	fs_manage_cifs_files(gpg_t)
 +optional_policy(`
-+	gnome_read_config(gpg_t)
++	gnome_manage_config(gpg_t)
 +	gnome_stream_connect_gkeyringd(gpg_t)
  ')
  
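Review bot: Replacing `gnome_read_config(gpg_t)` with `gnome_manage_config(gpg_t)` gives the gpg domain create, write and delete access to all GNOME config content, a much wider surface than the read access it had, and the hunk carries no comment on what gpg writes there. A comment naming the file or denial behind it, e.g. `# gpg writes its own settings under the GNOME config tree`, would let this be narrowed later. If only one path under that tree is written, a name transition or a dedicated type for it would be tighter than managing everything; worth checking against the original AVC.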
@@ -72036,10 +72058,10 @@ index dff0f12..ecab36d 100644
  init_dbus_chat_script(mono_t)
  
 diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
-index 93ac529..64d260e 100644
+index 93ac529..2985694 100644
 --- a/policy/modules/apps/mozilla.fc
 +++ b/policy/modules/apps/mozilla.fc
-@@ -1,8 +1,18 @@
+@@ -1,8 +1,19 @@
  HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -72050,6 +72072,7 @@ index 93ac529..64d260e 100644
 +HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.gnash(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.gcjwebplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.grl-podcasts(/.*)?   gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.lyx(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.spicec(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
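Review bot: The added `HOME_DIR/\.grl-podcasts(/.*)?` entry aligns its context field with spaces while every neighbouring entry uses tabs, so the column layout breaks wherever tabs render at their usual width. Re-align it with tabs to match the `.gcjwebplugin` line directly above it. The `/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd)` entry in the corecommands.fc hunk of this patch has the same spacing and should be aligned the same way.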
@@ -72058,7 +72081,7 @@ index 93ac529..64d260e 100644
  
  #
  # /bin
-@@ -14,16 +24,28 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -14,16 +25,28 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
  /usr/bin/epiphany		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  /usr/bin/mozilla-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  /usr/bin/mozilla-bin-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -72097,7 +72120,7 @@ index 93ac529..64d260e 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..0202c5e 100644
+index fbb5c5a..b644095 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -72240,7 +72263,7 @@ index fbb5c5a..0202c5e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -279,28 +361,119 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +361,121 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -72360,15 +72383,17 @@ index fbb5c5a..0202c5e 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..836ce1c 100644
+index 2e9318b..1f50723 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,11 +7,25 @@ policy_module(mozilla, 2.3.3)
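Review bot: The `.quakelive` name transition is added to the mozilla home filetrans interface here, but no matching `HOME_DIR/\.quakelive(/.*)?` file-context entry appears in the mozilla.fc hunk of this patch, which only adds `.grl-podcasts`. If mozilla.fc does not already carry that entry elsewhere in the F16 patch, a directory created through the transition would be relabeled back to the generic home type on the next restorecon, so the two should land together. The enclosing interface begins before this hunk.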
@@ -72628,7 +72653,7 @@ index 2e9318b..836ce1c 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,15 +418,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,15 +418,24 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -72638,6 +72663,7 @@ index 2e9318b..836ce1c 100644
  fs_getattr_all_fs(mozilla_plugin_t)
  fs_list_dos(mozilla_plugin_t)
  fs_read_dos_files(mozilla_plugin_t)
++fs_read_hugetlbfs_files(mozilla_plugin_t)
  
 +application_exec(mozilla_plugin_t)
  application_dontaudit_signull(mozilla_plugin_t)
@@ -72652,7 +72678,7 @@ index 2e9318b..836ce1c 100644
  logging_send_syslog_msg(mozilla_plugin_t)
  
  miscfiles_read_localization(mozilla_plugin_t)
-@@ -383,34 +447,31 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,34 +448,31 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
  
  term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
@@ -72702,7 +72728,7 @@ index 2e9318b..836ce1c 100644
  ')
  
  optional_policy(`
-@@ -421,24 +482,35 @@ optional_policy(`
+@@ -421,24 +483,35 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -72742,7 +72768,7 @@ index 2e9318b..836ce1c 100644
  ')
  
  optional_policy(`
-@@ -446,10 +518,108 @@ optional_policy(`
+@@ -446,10 +519,108 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -72784,7 +72810,7 @@ index 2e9318b..836ce1c 100644
 +allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
 +allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
 +
-+dev_search_sysfs(mozilla_plugin_config_t)
++dev_read_sysfs(mozilla_plugin_config_t)
 +dev_read_urand(mozilla_plugin_config_t)
 +dev_dontaudit_read_rand(mozilla_plugin_config_t)
 +dev_dontaudit_rw_dri(mozilla_plugin_config_t)
@@ -76720,10 +76746,10 @@ index 0000000..9127cec
 +')
 diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
 new file mode 100644
-index 0000000..9dabeec
+index 0000000..6da5d27
 --- /dev/null
 +++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,131 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -76851,6 +76877,10 @@ index 0000000..9dabeec
 +	gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
 +	gnome_cache_filetrans(thumb_t, thumb_home_t, file)
 +')
++
++optional_policy(`
++	sssd_dontaudit_stream_connect(thumb_t)
++')
 diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
 index f50789e..9ba6da8 100644
 --- a/policy/modules/apps/thunderbird.te
@@ -77583,7 +77613,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..51cbfbf 100644
+index 3fae11a..4151c84 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -77852,7 +77882,7 @@ index 3fae11a..51cbfbf 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +331,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +331,20 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -77862,6 +77892,7 @@ index 3fae11a..51cbfbf 100644
  /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall6-lite(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
++/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd)      gen_context(system_u:object_r:bin_t,s0)
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/tucan.*/tucan.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
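Review bot: `/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd)` has no file-type field, so the pattern also matches a directory or symlink of that name; since the mktex* entries are scripts, `--` as used by `compiler\.pl` and `configpath` in this section would be the precise form, i.e. `/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd)	--	gen_context(system_u:object_r:bin_t,s0)`. Some sibling entries (`sa-update\.cron`) also omit it, so this is a consistency nit rather than a functional defect.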
@@ -77873,7 +77904,7 @@ index 3fae11a..51cbfbf 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +355,12 @@ ifdef(`distro_redhat', `
+@@ -306,10 +356,12 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -77888,7 +77919,7 @@ index 3fae11a..51cbfbf 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +370,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +371,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -77900,7 +77931,7 @@ index 3fae11a..51cbfbf 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,20 +416,22 @@ ifdef(`distro_redhat', `
+@@ -363,20 +417,22 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -77927,7 +77958,7 @@ index 3fae11a..51cbfbf 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +440,13 @@ ifdef(`distro_suse', `
+@@ -385,3 +441,13 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -81786,7 +81817,7 @@ index 6a1e4d1..82432bb 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..9934739 100644
+index fae1ab1..d2a67e0 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -81891,7 +81922,7 @@ index fae1ab1..9934739 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +202,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +202,271 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -81991,6 +82022,10 @@ index fae1ab1..9934739 100644
 +')
 +
 +optional_policy(`
++	postgresql_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
 +	postfix_filetrans_named_content(unconfined_domain_type)
 +')
 +
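Review bot: `postgresql_filetrans_named_content(unconfined_domain_type)` relies on an interface the changelog says this commit introduces, but the postgresql.if hunk defining it is not within this part of the patch, so the build depends on it being present under exactly this name. The commit message spells it `postgesql_filetrans_name_content`, which differs from the call here; worth confirming the definition matches the call before building. A one-line comment above the block, e.g. `# keep postgresql log directories correctly labeled when created by unconfined domains`, would carry the changelog's rationale into the policy.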
@@ -88300,7 +88335,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..34d3702 100644
+index e14b961..47b47fa 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,69 @@ policy_module(sysadm, 2.2.1)
@@ -88492,14 +88527,14 @@ index e14b961..34d3702 100644
 -	libs_run_ldconfig(sysadm_t, sysadm_r)
 +	kerberos_exec_kadmind(sysadm_t)
 +	kerberos_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++	kudzu_run(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	lockdev_role(sysadm_r, sysadm_t)
-+	kudzu_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
 +	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
@@ -88581,7 +88616,7 @@ index e14b961..34d3702 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
  ')
-@@ -253,31 +331,32 @@ optional_policy(`
+@@ -253,31 +331,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -88591,37 +88626,41 @@ index e14b961..34d3702 100644
  
  optional_policy(`
 -	quota_run(sysadm_t, sysadm_r)
-+	prelink_run(sysadm_t, sysadm_r)
++	postgresql_admin(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	raid_run_mdadm(sysadm_r, sysadm_t)
-+	puppet_run_puppetca(sysadm_t, sysadm_r)
++	prelink_run(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	razor_role(sysadm_r, sysadm_t)
-+	quota_filetrans_named_content(sysadm_t)
++	puppet_run_puppetca(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	rpc_domtrans_nfsd(sysadm_t)
-+	raid_domtrans_mdadm(sysadm_t)
++	quota_filetrans_named_content(sysadm_t)
  ')
  
  optional_policy(`
 -	rpm_run(sysadm_t, sysadm_r)
-+	rpc_domtrans_nfsd(sysadm_t)
++	raid_domtrans_mdadm(sysadm_t)
  ')
  
  optional_policy(`
 -	rssh_role(sysadm_r, sysadm_t)
++	rpc_domtrans_nfsd(sysadm_t)
++')
++
++optional_policy(`
 +	rpm_run(sysadm_t, sysadm_r)
 +	rpm_dbus_chat(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
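Review bot: `postgresql_admin(sysadm_t, sysadm_r)` is the one genuinely new grant in this hunk, and the commit message does not list it; the other lines (`prelink_run`, `puppet_run_puppetca`, `quota_filetrans_named_content`, `raid_domtrans_mdadm`, `rpc_domtrans_nfsd`) are re-orderings of entries the patch already carried. An admin interface typically hands the sysadm role broad control over the postgresql domain and its files, so it deserves its own changelog line and, if it was added for a specific report, a comment naming it. If it belongs to a different change it should be split out of this commit.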
-@@ -302,12 +381,18 @@ optional_policy(`
+@@ -302,12 +385,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -88641,7 +88680,7 @@ index e14b961..34d3702 100644
  ')
  
  optional_policy(`
-@@ -332,7 +417,18 @@ optional_policy(`
+@@ -332,7 +421,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -88661,7 +88700,7 @@ index e14b961..34d3702 100644
  ')
  
  optional_policy(`
-@@ -343,19 +439,15 @@ optional_policy(`
+@@ -343,19 +443,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -88683,7 +88722,7 @@ index e14b961..34d3702 100644
  ')
  
  optional_policy(`
-@@ -367,45 +459,46 @@ optional_policy(`
+@@ -367,45 +463,46 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -88741,7 +88780,7 @@ index e14b961..34d3702 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -418,10 +511,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +515,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -88752,7 +88791,7 @@ index e14b961..34d3702 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +528,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +532,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -88760,7 +88799,7 @@ index e14b961..34d3702 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +536,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +540,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -92796,7 +92835,7 @@ index 6480167..ba0521d 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..84f1297 100644
+index 3136c6a..30b1abf 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,136 +18,275 @@ policy_module(apache, 2.2.1)
@@ -93588,7 +93627,7 @@ index 3136c6a..84f1297 100644
  ')
  
  optional_policy(`
-@@ -556,7 +891,21 @@ optional_policy(`
+@@ -556,7 +891,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93605,12 +93644,16 @@ index 3136c6a..84f1297 100644
 +')
 +
 +optional_policy(`
++       munin_read_config(httpd_t)
++')
++
++optional_policy(`
  	# Allow httpd to work with mysql
 +	mysql_read_config(httpd_t)
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +916,7 @@ optional_policy(`
+@@ -567,6 +920,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -93618,7 +93661,7 @@ index 3136c6a..84f1297 100644
  ')
  
  optional_policy(`
-@@ -577,6 +927,61 @@ optional_policy(`
+@@ -577,6 +931,61 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93680,7 +93723,7 @@ index 3136c6a..84f1297 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +996,11 @@ optional_policy(`
+@@ -591,6 +1000,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93692,7 +93735,7 @@ index 3136c6a..84f1297 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +1013,12 @@ optional_policy(`
+@@ -603,6 +1017,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -93705,7 +93748,7 @@ index 3136c6a..84f1297 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +1032,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +1036,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -93718,7 +93761,7 @@ index 3136c6a..84f1297 100644
  
  ########################################
  #
-@@ -654,28 +1074,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1078,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -93762,7 +93805,7 @@ index 3136c6a..84f1297 100644
  ')
  
  ########################################
-@@ -685,6 +1107,8 @@ optional_policy(`
+@@ -685,6 +1111,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -93771,7 +93814,7 @@ index 3136c6a..84f1297 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1123,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1127,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -93797,7 +93840,7 @@ index 3136c6a..84f1297 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1169,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1173,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -93830,7 +93873,7 @@ index 3136c6a..84f1297 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1216,25 @@ optional_policy(`
+@@ -769,6 +1220,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -93856,7 +93899,7 @@ index 3136c6a..84f1297 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1255,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1259,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -93874,7 +93917,7 @@ index 3136c6a..84f1297 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1274,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1278,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -93931,7 +93974,7 @@ index 3136c6a..84f1297 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1325,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1329,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -93972,7 +94015,7 @@ index 3136c6a..84f1297 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1370,20 @@ optional_policy(`
+@@ -842,10 +1374,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -93993,7 +94036,7 @@ index 3136c6a..84f1297 100644
  ')
  
  ########################################
-@@ -891,11 +1429,146 @@ optional_policy(`
+@@ -891,11 +1433,146 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -95863,10 +95906,10 @@ index 0000000..a66b2ff
 +')
 diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
 new file mode 100644
-index 0000000..84d98ac
+index 0000000..5d4c339
 --- /dev/null
 +++ b/policy/modules/services/blueman.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,85 @@
 +policy_module(blueman, 1.0.0)
 +
 +########################################
@@ -95876,52 +95919,67 @@ index 0000000..84d98ac
 +
 +type blueman_t;
 +type blueman_exec_t;
-+dbus_system_domain(blueman_t, blueman_exec_t)
 +init_daemon_domain(blueman_t, blueman_exec_t)
 +
 +type blueman_var_lib_t;
 +files_type(blueman_var_lib_t)
 +
++type blueman_var_run_t;
++files_pid_file(blueman_var_run_t)
++
 +########################################
 +#
 +# blueman local policy
 +#
 +
 +allow blueman_t self:capability { net_admin sys_nice };
-+allow blueman_t self:process setsched;
++allow blueman_t self:process { execmem signal_perms setsched };
 +
 +allow blueman_t self:fifo_file rw_fifo_file_perms;
 +
 +manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
 +manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
-+files_var_lib_filetrans(blueman_t, blueman_var_lib_t, { file dir })
++files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir)
++
++manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
++manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
++files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
 +
 +kernel_read_system_state(blueman_t)
 +kernel_request_load_module(blueman_t)
++kernel_read_net_sysctls(blueman_t)
 +
 +corecmd_exec_bin(blueman_t)
 +
 +dev_read_rand(blueman_t)
 +dev_read_urand(blueman_t)
 +dev_rw_wireless(blueman_t)
++dev_rwx_zero(blueman_t)
 +
 +domain_use_interactive_fds(blueman_t)
 +
 +files_read_etc_files(blueman_t)
 +files_read_usr_files(blueman_t)
++files_list_tmp(blueman_t)
 +
 +auth_use_nsswitch(blueman_t)
-+auth_read_passwd(blueman_t)
 +
 +logging_send_syslog_msg(blueman_t)
 +
 +miscfiles_read_localization(blueman_t)
 +
++sysnet_domtrans_ifconfig(blueman_t)
++sysnet_dns_name_resolve(blueman_t)
++
 +optional_policy(`
 +	avahi_domtrans(blueman_t)
 +')
 +
 +optional_policy(`
++	dbus_system_domain(blueman_t, blueman_exec_t)
++')
++
++optional_policy(`
 +	dnsmasq_domtrans(blueman_t)
 +	dnsmasq_read_pid_files(blueman_t)
 +')
@@ -95931,6 +95989,10 @@ index 0000000..84d98ac
 +')
 +
 +optional_policy(`
++	iptables_domtrans(blueman_t)
++')
++
++optional_policy(`
 +	xserver_read_state_xdm(blueman_t)
 +')
 diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
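Review bot: `allow blueman_t self:process { execmem signal_perms setsched }` combined with `dev_rwx_zero(blueman_t)` lets the daemon map memory that is both writable and executable, which drops the W^X guarantee for a root-started domain that also holds `net_admin` and transitions to iptables and ifconfig, and neither line records why. If the denial comes from the Python runtime (ctypes/libffi trampolines, which is the usual cause for this pair) that should be written next to the rules, e.g. `# execmem + rwx /dev/zero: presumably needed by the Python runtime (libffi); re-check against the audit log before widening further`, so a later reviewer can separate a required grant from an accumulated one. It is also worth confirming the denial was raised by blueman itself rather than a helper that could get its own domain. The rest of this new module sits in the preceding header hunk, not here.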
@@ -118619,10 +118681,21 @@ index 64268e4..58ec9a6 100644
 +	uucp_manage_spool(user_mail_domain)
 +')
 diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
-index fd71d69..d51cb65 100644
+index fd71d69..eb247eb 100644
 --- a/policy/modules/services/munin.fc
 +++ b/policy/modules/services/munin.fc
-@@ -41,6 +41,9 @@
+@@ -4,7 +4,9 @@
+ /usr/bin/munin-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
+ /usr/sbin/munin-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
+ /usr/share/munin/munin-.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
+-/usr/share/munin/plugins/.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
++
++# label all plugins as unconfined_munin_plugin_exec_t
++/usr/share/munin/plugins/.*     --      gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
+ 
+ # disk plugins
+ /usr/share/munin/plugins/diskstat.* --	gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+@@ -41,6 +43,9 @@
  /usr/share/munin/plugins/tomcat_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/varnish_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
  
@@ -118632,7 +118705,7 @@ index fd71d69..d51cb65 100644
  # system plugins
  /usr/share/munin/plugins/acpi	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/cpu.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-@@ -51,6 +54,7 @@
+@@ -51,6 +56,7 @@
  /usr/share/munin/plugins/irqstats --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/load	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/memory	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
@@ -118640,7 +118713,7 @@ index fd71d69..d51cb65 100644
  /usr/share/munin/plugins/netstat --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/nfs.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/open_files --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-@@ -58,12 +62,15 @@
+@@ -58,12 +64,16 @@
  /usr/share/munin/plugins/processes --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/swap	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
  /usr/share/munin/plugins/threads --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
@@ -118656,6 +118729,7 @@ index fd71d69..d51cb65 100644
  /var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
  /var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
 +/var/www/html/cgi/munin.*		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
++
 diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
 index c358d8f..7c097ec 100644
 --- a/policy/modules/services/munin.if
@@ -118753,7 +118827,7 @@ index c358d8f..7c097ec 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..ec75d02 100644
+index f17583b..77a46b3 100644
 --- a/policy/modules/services/munin.te
 +++ b/policy/modules/services/munin.te
 @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -118765,7 +118839,7 @@ index f17583b..ec75d02 100644
  type munin_t alias lrrd_t;
  type munin_exec_t alias lrrd_exec_t;
  init_daemon_domain(munin_t, munin_exec_t)
-@@ -24,15 +26,16 @@ files_tmp_file(munin_tmp_t)
+@@ -24,23 +26,25 @@ files_tmp_file(munin_tmp_t)
  type munin_var_lib_t alias lrrd_var_lib_t;
  files_type(munin_var_lib_t)
  
@@ -118783,9 +118857,10 @@ index f17583b..ec75d02 100644
  munin_plugin_template(services)
 -
  munin_plugin_template(system)
++munin_plugin_template(unconfined)
  
  ########################################
-@@ -40,7 +43,7 @@ munin_plugin_template(system)
+ #
  # Local policy
  #
  
@@ -118794,7 +118869,7 @@ index f17583b..ec75d02 100644
  dontaudit munin_t self:capability sys_tty_config;
  allow munin_t self:process { getsched setsched signal_perms };
  allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -71,9 +74,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -71,9 +75,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  files_search_var_lib(munin_t)
  
@@ -118808,7 +118883,7 @@ index f17583b..ec75d02 100644
  
  kernel_read_system_state(munin_t)
  kernel_read_network_state(munin_t)
-@@ -116,6 +122,7 @@ logging_read_all_logs(munin_t)
+@@ -116,6 +123,7 @@ logging_read_all_logs(munin_t)
  
  miscfiles_read_fonts(munin_t)
  miscfiles_read_localization(munin_t)
@@ -118816,7 +118891,7 @@ index f17583b..ec75d02 100644
  
  sysnet_exec_ifconfig(munin_t)
  
-@@ -128,6 +135,11 @@ optional_policy(`
+@@ -128,6 +136,11 @@ optional_policy(`
  	manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
  	manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
  	apache_search_sys_content(munin_t)
@@ -118828,7 +118903,7 @@ index f17583b..ec75d02 100644
  ')
  
  optional_policy(`
-@@ -145,6 +157,7 @@ optional_policy(`
+@@ -145,6 +158,7 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(munin_t)
  	mta_send_mail(munin_t)
@@ -118836,7 +118911,7 @@ index f17583b..ec75d02 100644
  	mta_read_queue(munin_t)
  ')
  
-@@ -155,10 +168,13 @@ optional_policy(`
+@@ -155,10 +169,13 @@ optional_policy(`
  
  optional_policy(`
  	netutils_domtrans_ping(munin_t)
@@ -118850,7 +118925,7 @@ index f17583b..ec75d02 100644
  ')
  
  optional_policy(`
-@@ -182,6 +198,7 @@ optional_policy(`
+@@ -182,6 +199,7 @@ optional_policy(`
  # local policy for disk plugins
  #
  
@@ -118858,7 +118933,7 @@ index f17583b..ec75d02 100644
  allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -192,13 +209,16 @@ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+@@ -192,13 +210,16 @@ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
  
  files_read_etc_files(disk_munin_plugin_t)
  files_read_etc_runtime_files(disk_munin_plugin_t)
@@ -118878,7 +118953,7 @@ index f17583b..ec75d02 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -217,34 +237,57 @@ optional_policy(`
+@@ -217,34 +238,57 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -118899,17 +118974,17 @@ index f17583b..ec75d02 100644
 +optional_policy(`
 +	exim_read_log(mail_munin_plugin_t)
 +')
- 
--mta_read_config(mail_munin_plugin_t)
--mta_send_mail(mail_munin_plugin_t)
--mta_read_queue(mail_munin_plugin_t)
++
 +optional_policy(`
 +	mta_read_config(mail_munin_plugin_t)
 +	mta_send_mail(mail_munin_plugin_t)
 +	mta_list_queue(mail_munin_plugin_t)
 +	mta_read_queue(mail_munin_plugin_t)
 +')
-+
+ 
+-mta_read_config(mail_munin_plugin_t)
+-mta_send_mail(mail_munin_plugin_t)
+-mta_read_queue(mail_munin_plugin_t)
 +optional_policy(`
 +	nscd_socket_use(mail_munin_plugin_t)
 +')
@@ -118942,7 +119017,7 @@ index f17583b..ec75d02 100644
  allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  allow services_munin_plugin_t self:udp_socket create_socket_perms;
  allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +298,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +299,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
  dev_read_urand(services_munin_plugin_t)
  dev_read_rand(services_munin_plugin_t)
  
@@ -118957,7 +119032,7 @@ index f17583b..ec75d02 100644
  	cups_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -279,6 +319,10 @@ optional_policy(`
+@@ -279,6 +320,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -118968,7 +119043,7 @@ index f17583b..ec75d02 100644
  	postgresql_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -286,6 +330,10 @@ optional_policy(`
+@@ -286,6 +331,10 @@ optional_policy(`
  	snmp_read_snmp_var_lib_files(services_munin_plugin_t)
  ')
  
@@ -118979,7 +119054,7 @@ index f17583b..ec75d02 100644
  ##################################
  #
  # local policy for system plugins
-@@ -295,13 +343,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,13 +344,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
  
  rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -118996,7 +119071,7 @@ index f17583b..ec75d02 100644
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
  
-@@ -313,3 +360,43 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +361,52 @@ init_read_utmp(system_munin_plugin_t)
  sysnet_exec_ifconfig(system_munin_plugin_t)
  
  term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -119040,6 +119115,15 @@ index f17583b..ec75d02 100644
 +optional_policy(`
 +    nscd_socket_use(munin_plugin_domain)
 +')
++
++######################################
++#
++# Unconfined plugin local policy
++#
++
++optional_policy(`
++        unconfined_domain(unconfined_munin_plugin_t)
++')
 diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
 index cc7192c..cb169dc 100644
 --- a/policy/modules/services/mysql.fc
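Review bot: `unconfined_domain(unconfined_munin_plugin_t)` is the line that gives the default plugin domain full unconfined privilege, and nothing in the hunk records that this is intentional or what happens when the unconfined module is absent (the `optional_policy` block is then dropped and the domain is left with only the template rules, so plugins fail closed rather than open). A comment above the block would make both explicit, e.g. `# Default domain for plugins without a dedicated label; unconfined by design. Without the unconfined module this block is dropped and such plugins get only the bare template rules.` Since munin_t is an init daemon domain the plugins presumably run as root, which makes the unconfined grant effectively root-unconfined and worth saying. The block is also indented with eight spaces where the rest of the file uses tabs.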
@@ -120205,7 +120289,7 @@ index 2324d9e..a26865a 100644
 +	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..9a5791f 100644
+index 0619395..288addf 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -120386,7 +120470,7 @@ index 0619395..9a5791f 100644
  ')
  
  optional_policy(`
-@@ -202,23 +261,45 @@ optional_policy(`
+@@ -202,23 +261,49 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -120405,6 +120489,10 @@ index 0619395..9a5791f 100644
  ')
  
  optional_policy(`
++	l2tpd_domtrans(NetworkManager_t)
++')
++
++optional_policy(`
 +	netutils_exec_ping(NetworkManager_t)
 +')
 +
@@ -120432,7 +120520,7 @@ index 0619395..9a5791f 100644
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -234,6 +315,10 @@ optional_policy(`
+@@ -234,6 +319,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -120443,7 +120531,7 @@ index 0619395..9a5791f 100644
  	ppp_initrc_domtrans(NetworkManager_t)
  	ppp_domtrans(NetworkManager_t)
  	ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +326,7 @@ optional_policy(`
+@@ -241,6 +330,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -120451,7 +120539,7 @@ index 0619395..9a5791f 100644
  ')
  
  optional_policy(`
-@@ -254,6 +340,10 @@ optional_policy(`
+@@ -254,6 +344,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -120462,7 +120550,7 @@ index 0619395..9a5791f 100644
  	udev_exec(NetworkManager_t)
  	udev_read_db(NetworkManager_t)
  ')
-@@ -263,6 +353,7 @@ optional_policy(`
+@@ -263,6 +357,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -128035,7 +128123,7 @@ index 7257526..7d73656 100644
  manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
  files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
 diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index f03fad4..136ad0a 100644
+index f03fad4..c018411 100644
 --- a/policy/modules/services/postgresql.fc
 +++ b/policy/modules/services/postgresql.fc
 @@ -10,10 +10,11 @@
@@ -128053,7 +128141,7 @@ index f03fad4..136ad0a 100644
  
  ifdef(`distro_debian', `
  /usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-@@ -28,9 +29,9 @@ ifdef(`distro_redhat', `
+@@ -28,9 +29,10 @@ ifdef(`distro_redhat', `
  #
  /var/lib/postgres(ql)?(/.*)? 		gen_context(system_u:object_r:postgresql_db_t,s0)
  
@@ -128062,17 +128150,18 @@ index f03fad4..136ad0a 100644
  /var/lib/pgsql/logfile(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
 -/var/lib/pgsql/pgstartup\.log		gen_context(system_u:object_r:postgresql_log_t,s0)
 +/var/lib/pgsql/.*\.log			gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/data/pg_log(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
  
  /var/lib/sepgsql(/.*)?			gen_context(system_u:object_r:postgresql_db_t,s0)
  /var/lib/sepgsql/pgstartup\.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)
-@@ -45,4 +46,4 @@ ifdef(`distro_redhat', `
+@@ -45,4 +47,4 @@ ifdef(`distro_redhat', `
  
  /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
  
 -/var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
 +#/var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
 diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index 09aeffa..e66adbd 100644
+index 09aeffa..d4de043 100644
 --- a/policy/modules/services/postgresql.if
 +++ b/policy/modules/services/postgresql.if
 @@ -10,7 +10,7 @@
@@ -128208,7 +128297,37 @@ index 09aeffa..e66adbd 100644
  ')
  
  ########################################
-@@ -531,33 +551,38 @@ interface(`postgresql_unconfined',`
+@@ -515,6 +535,29 @@ interface(`postgresql_unconfined',`
+ 
+ ########################################
+ ## <summary>
++## Transition to postgresql named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postgresql_filetrans_named_content',`
++	gen_require(`
++			type postgresql_db_t;
++			type postgresql_log_t;
++	')
++
++	files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql")
++	files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres")
++	files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql")
++	filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile")
++	filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log")
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate an postgresql environment
+ ## </summary>
+ ## <param name="domain">
+@@ -531,35 +574,41 @@ interface(`postgresql_unconfined',`
  #
  interface(`postgresql_admin',`
  	gen_require(`
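Review bot: The summary `## Transition to postgresql named content` for `postgresql_filetrans_named_content` does not say which names are matched or that the transitions are purely name-based, which is exactly what a caller needs to know before relying on it. Suggest `## Create /var/lib/{postgresql,postgres,pgsql} as postgresql_db_t and "logfile"/"pg_log" directories beneath postgresql_db_t dirs as postgresql_log_t; name-based transitions only, other names keep the parent label.` The `gen_require` body is indented three tabs where the surrounding interfaces use two.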
@@ -128255,8 +128374,11 @@ index 09aeffa..e66adbd 100644
  	admin_pattern($1, postgresql_tmp_t)
  
  	postgresql_tcp_connect($1)
+ 	postgresql_stream_connect($1)
++	postgresql_filetrans_named_content($1)
+ ')
 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 4a5387a..3124e96 100644
+index 4a5387a..6e3511a 100644
 --- a/policy/modules/services/postgresql.te
 +++ b/policy/modules/services/postgresql.te
 @@ -19,16 +19,16 @@ gen_require(`
@@ -128291,7 +128413,14 @@ index 4a5387a..3124e96 100644
  allow postgresql_t self:netlink_selinux_socket create_socket_perms;
  
  allow postgresql_t sepgsql_database_type:db_database *;
-@@ -241,7 +241,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
+@@ -235,13 +235,13 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+-files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
++postgresql_filetrans_named_content(postgresql_t)
+ 
+ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
  read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
  read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
  
@@ -137046,7 +137175,7 @@ index adea9f9..145adbd 100644
  	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 606a098..522fb54 100644
+index 606a098..6ac09f1 100644
 --- a/policy/modules/services/smartmon.te
 +++ b/policy/modules/services/smartmon.te
 @@ -35,7 +35,7 @@ ifdef(`enable_mls',`
@@ -137098,6 +137227,15 @@ index 606a098..522fb54 100644
  libs_exec_ld_so(fsdaemon_t)
  libs_exec_lib_files(fsdaemon_t)
  
+@@ -119,3 +132,8 @@ optional_policy(`
+ optional_policy(`
+ 	udev_read_db(fsdaemon_t)
+ ')
++
++mcs_file_read_all(fsdaemon_t)
++optional_policy(`
++        virt_read_images(fsdaemon_t)
++')
 diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if
 index 8265278..017b923 100644
 --- a/policy/modules/services/smokeping.if
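Review bot: `virt_read_images(fsdaemon_t)` and `mcs_file_read_all(fsdaemon_t)` both give the SMART daemon read access to data it has no general need for — guest disk images, and files in any MCS category — and neither carries a rationale. Presumably the trigger is whole disks handed to guests being relabeled as virt images so smartd can no longer open the block device; if so, add `# disks passed through to guests carry the virt image label; smartd only needs the block devices, not image files` and check whether the virt module offers a block-device-only interface that would do instead. `mcs_file_read_all` is placed outside any `optional_policy`, is unrelated to virt, and should be justified separately or dropped. The added block is indented with spaces where the file uses tabs.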
@@ -137767,7 +137905,7 @@ index c954f31..82fc7f6 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..8cd21e0 100644
+index ec1eb1e..d25cf4e 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
 @@ -6,56 +6,41 @@ policy_module(spamassassin, 2.4.0)
@@ -138238,7 +138376,7 @@ index ec1eb1e..8cd21e0 100644
  	sendmail_stub(spamd_t)
  	mta_read_config(spamd_t)
  ')
-@@ -451,3 +568,53 @@ optional_policy(`
+@@ -451,3 +568,56 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -138264,6 +138402,8 @@ index ec1eb1e..8cd21e0 100644
 +
 +allow spamd_update_t spamd_tmp_t:file read_file_perms;
 +
++allow spamd_update_t spamc_home_t:dir search_dir_perms;
++
 +kernel_read_system_state(spamd_update_t)
 +
 +# for updating rules 
@@ -138286,6 +138426,7 @@ index ec1eb1e..8cd21e0 100644
 +
 +mta_read_config(spamd_update_t)
 +
++userdom_search_admin_dir(spamd_update_t)
 +userdom_use_inherited_user_ptys(spamd_update_t)
 +
 +optional_policy(`
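Review bot: `userdom_search_admin_dir(spamd_update_t)` arrives without the reason given in the changelog, and the earlier `allow spamd_update_t spamc_home_t:dir search_dir_perms;` in the previous hunk grants search only, so if sa-update actually reads or writes rule files under /root/.spamassassin those accesses will still be denied. A why-comment would keep the two rules together for the next reader, e.g. `# sa-update looks for /root/.spamassassin (search only; file access is not granted here)`. Confirm from the audit log whether search is really all that is needed before closing this out.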
@@ -139655,7 +139796,7 @@ index 4271815..4bc00ea 100644
  
  /var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)
 diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
-index 941380a..e1095f0 100644
+index 941380a..033e9ca 100644
 --- a/policy/modules/services/sssd.if
 +++ b/policy/modules/services/sssd.if
 @@ -5,9 +5,9 @@
@@ -139711,7 +139852,32 @@ index 941380a..e1095f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -225,21 +227,18 @@ interface(`sssd_stream_connect',`
+@@ -210,6 +212,24 @@ interface(`sssd_stream_connect',`
+ 	stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
+ ')
+ 
++#######################################
++## <summary>
++##     Dontaudit attempts to connect to sssd over a unix stream socket.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`sssd_dontaudit_stream_connect',`
++       gen_require(`
++               type sssd_t;
++       ')
++
++       dontaudit $1 sssd_t:unix_stream_socket connectto;
++')
++
+ ########################################
+ ## <summary>
+ ##	All of the rules required to administrate
+@@ -225,21 +245,18 @@ interface(`sssd_stream_connect',`
  ##	The role to be allowed to manage the sssd domain.
  ##	</summary>
  ## </param>
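Review bot: `sssd_dontaudit_stream_connect` silences only `sssd_t:unix_stream_socket connectto`, but its allow counterpart `sssd_stream_connect` uses `stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)`, which also covers searching the directory and writing the socket file; a caller such as thumb_t will therefore still produce `sssd_var_lib_t:sock_file write` (and possibly `dir search`) denials that this interface was meant to hide. Suggest adding `dontaudit $1 sssd_var_lib_t:sock_file write;` to the body, with `sssd_var_lib_t` added to the `gen_require`. The parameter description `Domain allowed access.` is copied from an allow interface and should read `Domain to not audit.`, and the body is indented with spaces where the file uses tabs.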
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1162a91..3192b2b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 166%{?dist}
+Release: 167%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -479,7 +479,30 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
-* Thu Dec 3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-166
+* Mon Feb 4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-167
+- Fix dup decl for munin plugins
+- Allow logwatch to domtrans to mdadm
+- Backport blueman policy from F18
+- Allow mozilla-plugin-config to read power_supply info
+- Allow fsdaemon to read virt images
+- Allow useradd to create homedirs in /run.  ircd-ratbox does this and we should just allow it
+- Allow sa-update to search admin home for /root/.spamassassin
+- Dontaudit attempts from thumb_t to connect to sssd
+- Add labeling and filename transition for .grl-podcasts
+- Allow mozilla_plugin_t to read files on hugetlbfs
+- Allow gnomesystemmm_t caps because of ioprio_set
+- Allow logrotate to domtrans to mdadm_t
+- Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data.
+- Allow gpg_t to manage all gnome files
+- Add filename transition for .quakelive
+- Add unconfined_munin_plugin_t
+- Allow httpd_t to read munin conf files
+- Add additional labeling for munin cgi scripts
+- Add labeling for texlive bash scripts
+- Allow NM to transition to l2tpd
+- Add interface for postgesql_filetrans_name_content to make sure log directories get created with the correct label.
+
+* Thu Jan 3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-166
 - Allow gpsd_t to setattr on usbtty_device
 - Allow mail_munin_plugins domain to run postconf
 - Dontaudit reading of domain states for mozilla-plugin-config

